Fix: html encode special characters

This commit is contained in:
Bartek Fabiszewski 2017-04-14 16:00:53 +02:00
parent e89d30bb98
commit 77d1a5a012
4 changed files with 28 additions and 14 deletions


@ -108,7 +108,7 @@
<?php if ($user->isValid): ?> <?php if ($user->isValid): ?>
<div id="user_menu"> <div id="user_menu">
<a href="javascript:void(0);" onclick="userMenu()"><img class="icon" alt="<?= $lang["user"] ?>" src="images/user.svg"> <?= $user->login ?></a> <a href="javascript:void(0);" onclick="userMenu()"><img class="icon" alt="<?= $lang["user"] ?>" src="images/user.svg"> <?= htmlspecialchars($user->login) ?></a>
<div id="user_dropdown" class="dropdown"> <div id="user_dropdown" class="dropdown">
<a href="javascript:void(0)" onclick="changePass()"><img class="icon" alt="<?= $lang["changepass"] ?>" src="images/lock.svg"> <?= $lang["changepass"] ?></a> <a href="javascript:void(0)" onclick="changePass()"><img class="icon" alt="<?= $lang["changepass"] ?>" src="images/lock.svg"> <?= $lang["changepass"] ?></a>
<a href="utils/logout.php"><img class="icon" alt="<?= $lang["logout"] ?>" src="images/poweroff.svg"> <?= $lang["logout"] ?></a> <a href="utils/logout.php"><img class="icon" alt="<?= $lang["logout"] ?>" src="images/poweroff.svg"> <?= $lang["logout"] ?></a>
@ -125,7 +125,7 @@
<select name="user" onchange="selectUser(this);"> <select name="user" onchange="selectUser(this);">
<option value="0"><?= $lang["suser"] ?></option> <option value="0"><?= $lang["suser"] ?></option>
<?php foreach ($usersArr as $aUser): ?> <?php foreach ($usersArr as $aUser): ?>
<option <?= ($aUser->id == $displayUserId) ? "selected " : "" ?>value="<?= $aUser->id ?>"><?= $aUser->login ?></option> <option <?= ($aUser->id == $displayUserId) ? "selected " : "" ?>value="<?= $aUser->id ?>"><?= htmlspecialchars($aUser->login) ?></option>
<?php endforeach; ?> <?php endforeach; ?>
</select> </select>
</form> </form>
@ -137,12 +137,12 @@
<form> <form>
<select name="track" onchange="selectTrack(this)"> <select name="track" onchange="selectTrack(this)">
<?php foreach ($tracksArr as $aTrack): ?> <?php foreach ($tracksArr as $aTrack): ?>
<option value="<?= $aTrack->id ?>"><?= $aTrack->name ?></option> <option value="<?= $aTrack->id ?>"><?= htmlspecialchars($aTrack->name) ?></option>
<?php endforeach; ?> <?php endforeach; ?>
</select> </select>
<input id="latest" type="checkbox" onchange="toggleLatest();"> <?= $lang["latest"] ?><br> <input id="latest" type="checkbox" onchange="toggleLatest();"> <?= $lang["latest"] ?><br>
</form> <input type="checkbox" onchange="autoReload();"> <?= $lang["autoreload"] ?> (<a href="javascript:void(0);" onclick="setTime();"><span id="auto"><?= $config::$interval ?></span></a> s)<br>
<input type="checkbox" onchange="autoReload();"><?= $lang["autoreload"] ?> (<a href="javascript:void(0);" onclick="setTime();"><span id="auto"><?= $config::$interval ?></span></a> s)<br> </form>
<a href="javascript:void(0);" onclick="loadTrack(userid, trackid, 0);"> <?= $lang["reload"] ?></a><br> <a href="javascript:void(0);" onclick="loadTrack(userid, trackid, 0);"> <?= $lang["reload"] ?></a><br>
</div> </div>
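Review bot: The new `htmlspecialchars()` calls on the `$user->login`, `$aUser->login` and `$aTrack->name` lines rely on PHP's default flags and charset, which differ between PHP versions (single quotes were left unencoded before `ENT_QUOTES` became the default, and the default charset was not always UTF-8); passing them explicitly, e.g. `htmlspecialchars($aTrack->name, ENT_QUOTES, 'UTF-8')`, makes the output identical wherever the template runs. The same applies to the two `htmlspecialchars()` calls in the last file's `$description` hunk. The `value="<?= $aUser->id ?>"` and `value="<?= $aTrack->id ?>"` attributes remain unencoded, which is fine if the ids are integers from the database, something these hunks do not show.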


@ -33,12 +33,12 @@ function editUser() {
alert(lang['selfeditwarn']); alert(lang['selfeditwarn']);
return; return;
} }
var message = '<div style="float:left">' + sprintf(lang['editinguser'], '<b>' + userLogin + '</b>') + '</div>'; var message = '<div style="float:left">' + sprintf(lang['editinguser'], '<b>' + htmlEncode(userLogin) + '</b>') + '</div>';
message += '<div class="red-button"><b><a href="javascript:void(0);" onclick="submitUser(\'delete\'); return false">' + lang['deluser'] + '</a></b></div>'; message += '<div class="red-button"><b><a href="javascript:void(0);" onclick="submitUser(\'delete\'); return false">' + lang['deluser'] + '</a></b></div>';
message += '<div style="clear: both; padding-bottom: 1em;"></div>'; message += '<div style="clear: both; padding-bottom: 1em;"></div>';
var form = '<form id="userForm" method="post" onsubmit="submitUser(\'update\'); return false">'; var form = '<form id="userForm" method="post" onsubmit="submitUser(\'update\'); return false">';
form += '<input type="hidden" name="login" value="' + userLogin + '">'; form += '<input type="hidden" name="login" value="' + htmlEncode(userLogin) + '">';
form += '<label><b>' + lang['password'] + '</b></label><input type="password" placeholder="' + lang['passwordenter'] + '" name="pass" required>'; form += '<label><b>' + lang['password'] + '</b></label><input type="password" placeholder="' + lang['passwordenter'] + '" name="pass" required>';
form += '<label><b>' + lang['passwordrepeat'] + '</b></label><input type="password" placeholder="' + lang['passwordenter'] + '" name="pass2" required>'; form += '<label><b>' + lang['passwordrepeat'] + '</b></label><input type="password" placeholder="' + lang['passwordenter'] + '" name="pass2" required>';
form += '<div class="buttons"><button type="button" onclick="removeModal()">' + lang['cancel'] + '</button><button type="submit">' + lang['submit'] + '</button></div>'; form += '<div class="buttons"><button type="button" onclick="removeModal()">' + lang['cancel'] + '</button><button type="submit">' + lang['submit'] + '</button></div>';
@ -52,7 +52,7 @@ function confirmedDelete(login) {
function submitUser(action) { function submitUser(action) {
var form = document.getElementById('userForm'); var form = document.getElementById('userForm');
var login = form.elements['login'].value; var login = form.elements['login'].value.trim();
if (!login) { if (!login) {
alert(lang['allrequired']); alert(lang['allrequired']);
return; return;
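Review bot: `htmlEncode(userLogin)` is repeated on the `message` line and on the hidden `login` input in `editUser`; encoding once into a local, `var safeLogin = htmlEncode(userLogin);`, and using `safeLogin` in both places makes it harder for a later edit of that markup to pick up the raw value again. The ordering is sound as written: encoding happens before `sprintf`, and the page's `sprintf` returns each argument as-is from the replace callback rather than re-scanning it. `editUser` begins above the hunk and `submitUser` continues below it.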


@ -194,11 +194,11 @@ function getPopupHtml(p, i, count) {
popup = popup =
'<div id="popup">' + '<div id="popup">' +
'<div id="pheader">' + '<div id="pheader">' +
'<div><img alt="' + lang['user'] + '" title="' + lang['user'] + '" src="images/user_dark.svg"> ' + p.username + '</div>' + '<div><img alt="' + lang['user'] + '" title="' + lang['user'] + '" src="images/user_dark.svg"> ' + htmlEncode(p.username) + '</div>' +
'<div><img alt="' + lang['track'] + '" title="' + lang['track'] + '" src="images/route_dark.svg"> ' + p.trackname + '</div>' + '<div><img alt="' + lang['track'] + '" title="' + lang['track'] + '" src="images/route_dark.svg"> ' + htmlEncode(p.trackname) + '</div>' +
'</div>' + '</div>' +
'<div id="pbody">' + '<div id="pbody">' +
((p.comments != null) ? '<div id="pcomments">' + p.comments + '</div>' : '') + ((p.comments != null) ? '<div id="pcomments">' + htmlEncode(p.comments) + '</div>' : '') +
'<div id="pleft">' + '<div id="pleft">' +
'<img class="icon" alt="' + lang['time'] + '" title="' + lang['time'] + '" src="images/calendar_dark.svg"> ' + date + '<br>' + '<img class="icon" alt="' + lang['time'] + '" title="' + lang['time'] + '" src="images/calendar_dark.svg"> ' + date + '<br>' +
'<img class="icon" alt="' + lang['time'] + '" title="' + lang['time'] + '" src="images/clock_dark.svg"> ' + time + '<br>' + '<img class="icon" alt="' + lang['time'] + '" title="' + lang['time'] + '" src="images/clock_dark.svg"> ' + time + '<br>' +
@ -319,7 +319,7 @@ function fillOptions(xml) {
var trackname = getNode(tracks[i], 'trackname'); var trackname = getNode(tracks[i], 'trackname');
var option = document.createElement("option"); var option = document.createElement("option");
option.value = trackid; option.value = trackid;
option.innerHTML = trackname; option.innerHTML = htmlEncode(trackname);
trackSelect.appendChild(option); trackSelect.appendChild(option);
} }
var defaultTrack = getNode(tracks[0], 'trackid'); var defaultTrack = getNode(tracks[0], 'trackid');
@ -497,4 +497,18 @@ function sprintf() {
if (match == '%%') { return '%'; } if (match == '%%') { return '%'; }
return (typeof args[i] != 'undefined') ? args[i++] : match; return (typeof args[i] != 'undefined') ? args[i++] : match;
}); });
}; };
function htmlEncode(s) {
return s.replace(/&/g, '&amp;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;');
}
if (!String.prototype.trim) {
String.prototype.trim = function () {
return this.replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
};
}
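Review bot: `htmlEncode` throws a TypeError when `s` is not a string, and only the `p.comments` caller in `getPopupHtml` guards for null; `p.username`, `p.trackname` and the `trackname` that `getNode` returns in `fillOptions` are passed straight through, so if `getNode` can yield null for a missing node (not visible here) the popup or the track list would now fail where the old concatenation merely printed the value. Making the helper total, `if (s == null) { return ''; }` followed by `return String(s).replace(/&/g, '&amp;')` and the existing chain, keeps every caller simple. In `fillOptions`, `option.innerHTML = htmlEncode(trackname)` can become `option.textContent = trackname;`: assigning a text node needs no encoding and does not depend on the helper covering every character. The bodies of `getPopupHtml`, `fillOptions` and `sprintf` all extend beyond their hunks.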


@ -131,7 +131,7 @@ if ($trackId && $userId) {
$xml->writeAttribute("id", "point_{$position->id}"); $xml->writeAttribute("id", "point_{$position->id}");
$description = $description =
"<div style=\"font-weight: bolder; padding-bottom: 10px; border-bottom: 1px solid gray;\">" . "<div style=\"font-weight: bolder; padding-bottom: 10px; border-bottom: 1px solid gray;\">" .
"{$lang["user"]}: {$position->userLogin}<br>{$lang["track"]}: {$position->trackName}" . "{$lang["user"]}: " . htmlspecialchars($position->userLogin) . "<br>{$lang["track"]}: " . htmlspecialchars($position->trackName) .
"</div>" . "</div>" .
"<div>" . "<div>" .
"<div style=\"padding-top: 10px;\"><b>{$lang["time"]}:</b> {$position->time}<br>" . "<div style=\"padding-top: 10px;\"><b>{$lang["time"]}:</b> {$position->time}<br>" .
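Review bot: `{$position->time}` on the last line of the hunk is still interpolated raw into the same `$description` HTML that now encodes `userLogin` and `trackName`; if it is a server-formatted timestamp that is harmless, but if it can ever carry a client-supplied string it needs the same `htmlspecialchars()` treatment. The `$description` assignment continues below the hunk, so the remaining fields concatenated there deserve the same check before the string is handed to the XML writer.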